It is common for enterprises to monitor outgoing web traffic. Ideally, such outgoing web connections are largely enterprise-related (for example, communications with customers, affiliates, and partner sites), in support of system operations, or required by employees to perform their job duties. In practice, however, a myriad of diverse activities are conducted within an enterprise over the Hypertext Transfer Protocol (HTTP). A portion of such activities are commonly associated with benign user activity, such as web browsing and social media use, but it has also become increasingly common for malware and attackers to conduct suspect activities over HTTP in an attempt to blend into normal network activity and evade detection.
One conventional approach to preventing malicious activity on a computer network is to scan network traffic for malicious signatures listed on a signature blacklist. For example, network devices such as a firewall can be configured to block network traffic containing a specific domain (e.g., the hostname of a website), a specific IP address, or a specific Uniform Resource Locator (URL). Some network devices may even block network traffic if they find blacklisted signatures within files, JavaScript and/or Flash objects.
Unfortunately, the above technique has disadvantages. For example, a signature blacklist does not detect communications with potential “watering-hole” domains, because such domains are legitimate and are not listed at the time employees visit them. These are legitimate domains likely visited by employees in a targeted organization that attackers deliberately compromise as a stepping stone to infect the victim enterprise. Typically, these websites are relatively popular within an enterprise, but not necessarily popular relative to a larger user population. Examples of potential “watering-hole” sites are the website of a restaurant located close to the company or a development forum frequently accessed by company developers.
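The following is an added example, not part of the disclosure above, showing the gap just described on constructed outbound proxy log lines. It applies a blacklist of the three signature kinds mentioned (domain, IP address, URL), and then contrasts each host's popularity inside the enterprise (distinct internal clients) with its popularity in a larger population (a constructed global top-N ranking). The log lines, blacklist entries, hostnames and ranking figures are all made up for the example, and the popularity contrast is one illustration of the observation above, not a method claimed by this document.

```python
"""Added example (constructed data): why a signature blacklist misses a
"watering-hole" domain, and how contrasting enterprise popularity with
global popularity surfaces it instead."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed outbound proxy log: "<client_ip> <method> <url>", one per line.
SAMPLE_LOG = """\
10.0.0.11 GET http://www.example-news.com/index.html
10.0.0.12 GET http://www.example-news.com/sports
10.0.0.13 GET http://www.example-news.com/
10.0.0.14 GET http://search.example.com/?q=lunch
10.0.0.11 GET http://bistro-nextdoor.example/menu
10.0.0.12 GET http://bistro-nextdoor.example/menu
10.0.0.13 GET http://bistro-nextdoor.example/specials
10.0.0.15 GET http://bistro-nextdoor.example/menu
10.0.0.16 GET http://198.51.100.7/update.bin
10.0.0.17 GET http://malware.example.net/payload.exe
10.0.0.18 GET http://search.example.com/?q=weather
"""

# Constructed blacklist covering the three signature kinds named in the text.
BLACKLIST_DOMAINS = {"malware.example.net"}
BLACKLIST_IPS = {"198.51.100.7"}
BLACKLIST_URLS = {"http://cdn.example.org/evil.js"}

# Constructed "larger user population" reference: hostname -> global rank.
# Hosts absent from this table are treated as unranked (not globally popular).
GLOBAL_RANK = {"www.example-news.com": 120, "search.example.com": 3}


def parse_log(text):
    """Return (client_ip, hostname, url) tuples from the constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        rows.append((client, urlsplit(url).hostname, url))
    return rows


def is_blacklisted(host, url):
    """The conventional check: block on a listed domain, IP address, or exact URL."""
    return host in BLACKLIST_DOMAINS or host in BLACKLIST_IPS or url in BLACKLIST_URLS


def blacklist_hits(rows):
    """Hosts the blacklist would block, sorted for stable comparison."""
    return sorted({host for _client, host, url in rows if is_blacklisted(host, url)})


def watering_hole_candidates(rows, min_internal_clients=3, global_top_n=1000):
    """Hosts contacted by many distinct internal clients yet outside the global
    top-N, after discarding anything the blacklist already catches. A legitimate
    but locally popular site (the bistro next door) lands here; a globally
    popular one (the news site) does not."""
    clients_per_host = defaultdict(set)
    for client, host, url in rows:
        if not is_blacklisted(host, url):
            clients_per_host[host].add(client)
    return sorted(
        host
        for host, clients in clients_per_host.items()
        if len(clients) >= min_internal_clients
        and GLOBAL_RANK.get(host, float("inf")) > global_top_n
    )


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("blacklist blocks:", blacklist_hits(rows))
    print("popular internally, unpopular globally:", watering_hole_candidates(rows))
```

On this input the blacklist blocks only the two hosts it already knows about, while `bistro-nextdoor.example`, visited by four internal clients and unranked globally, passes the blacklist untouched and is surfaced only by the popularity contrast. The thresholds (`min_internal_clients`, `global_top_n`) are assumed values for the example; in practice they would be tuned to the size of the enterprise and the reference ranking used.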
Accordingly, a need exists for further techniques that can detect potentially malicious websites.